COM S 687 Introduction to Cryptography October 19, 2006

Transcription

1 COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed encryptions that prevent a passive attacker from discovering any information about messages that are sent. In some situations, however, we may want to prevent an attacker from creating a new message from a given encryption. Consider an auction for example. Suppose the Bidder Bob is trying to send a message containing his bid to the Auctioneer Alice. Private key encryption could prevent an attacker Eve from knowing what Bob bids, but if she could construct a message that contained one more than Bob s bid, then she could win the auction. We say that an encryption scheme that prevents these kinds of attacks is non-malleable. Informally, if a scheme is non-malleable, then it is impossible to output an encrypted message containing any function of a given encrypted message. Formally, we have the following definition: Definition 1 (Non-Malleability) Let (Gen, Enc, Dec) be an encryption scheme. Let NM(m, A) be the output of the following experiment: 1. k Gen(1 m ) 2. c Enc k (m) 3. c 1, c 2, c 3,..., c l A(c, 1 m ) 4. m i if c i = c and Dec k (c i ) otherwise 5. output (m 1, m 2,...,m l ) Then (Gen, Enc, Dec) is non-malleable if for every non-uniform PPT A, and for every non-uniform PPT D, there exists a negligible ǫ such that for all m 0, m 1 {0, 1} n, Pr [D(NM(m 0, A)) = 1] Pr [D(NM(m 1, A)) = 1] ǫ(n) One non-trivial aspect of this definition is the conversion to of queries that have already been made (step 4). Clearly without this, the definition would be trivially unsatisfiable, because the attacker could simply forge the encryptions that they have already seen by replaying them. 16-1

2 1.1 Relation Based Non-Malleability We chose this definition because it mirrors our definition of secrecy in a satisfying way. However, an earlier and arguably more natural definition can be given by formalizing the intuitive notion that the attacker cannot output an encryption of a message that is related to a given message. For example, we might consider the relation R next (x) = {x + 1}, or the relation R within-one (x) = {x 1, x, x + 1}. We want to ensure that the encryption of x doesn t help the attacker encrypt an element of R(x). Formally: Definition 2 (Relation Based Non-Malleability) We say that an encryption scheme (Gen, Enc, Dec) is relation based non-malleable if for every PPT adversary A there exists a PPT simulator S such that for all PPT-recognizable relations R, there exists a negligible ǫ such that for all m M with m = n, and for all z, it holds that Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] where i ranges from 1 to a polynomial of n and NM is defined as above. This definition is equivalent to the non-relational definition given above. < ǫ Theorem 1 (Enc, Dec, Gen) is a non-malleable encryption scheme if and only if it is a relation-based non-malleable encryption scheme. Proof. ( ) Assume that the scheme is non-malleable by the first definition. For any given adversary A, we need to produce a simulator S that hits any given relation R as often as A does. Let S be the machine that performs the first 3 steps of NM(A(z), m ) and outputs the sequence of cyphertexts, and let D be the distinguisher for the relation R. Then Pr[NM(A(z), m) R(m)] Pr[k Gen(1 n ); c S(1 n, z); m = Dec k (c) : m R(m)] = Pr[D(NM(A(z), m))] Pr[D(NM(A(z), m ))] ǫ as required. ( ) Now, assume that the scheme is relation-based non-malleable. Given an adversary A, we know there exists a simulator S that outputs related encryptions as well as A does. The relation-based definition tells us that NM(A(z), m 0 ) Dec(S()) and Dec(S()) NM(A(z), m 1 ). Thus, by the polynomial jump lemma, NM(A(z), m 0 ) NM(A(z), m 1 ) which is the first definition of non-malleability. 16-2

3 1.2 Non-Malleability and Secrecy Note that non-malleability is a distinct concept from secrecy. For example, one-time pad is perfectly secret, yet is not non-malleable (since one can easily produce the encryption of a b give then encryption of a, for example). However, if we consider CCA2 attacks, then the two definitions coincide. Theorem 2 An encryption scheme Σ = (Enc, Dec, Gen) is CCA2 secret if and only if it is CCA2 non-malleable Proof sketch. If Σ is not CCA2 non-malleable, then a CCA2 attacker can break secrecy by changing the provided encryption into a related encryption, using the decryption oracle on the related message, and then distinguishing the unencrypted related messages. Similarly, if Σ is not CCA2 secret, then a CCA2 attacker can break non-malleability by simply decrypting the cyphertext, applying a function, and then re-encrypting the modified message. 2 Public Key Encryption Thus far we have considered private key encryption schemes where the encrypter and the decrypter share a common secret. This means that they are forced to meet in advance and agree on a secret. Ideally, we would like to drop this requirement. At first blush this seems impossible. Certainly the decryptor needs a key or else there is nothing preventing an attacker from doing the same thing that the decryptor does. Moreover, the encryptor needs the key because otherwise the key cannot help to decrypt the cyphertext. The flaw in this argument is that there is no need for the encrypter and the decryptor to have the same key, and in fact this is how public key cryptography works. We split the key into a secret decryption key S k and a public encryption key P k. The public key is published in a secure repository, where anyone can use it to encrypt messages. The private key is kept by the recipient, so that only she can decrypt. We define a public key encryption scheme as follows: Definition 3 (public key encryption scheme) A triple (Gen, Enc, Dec) is a public key encryption scheme over a message space M if 1. Gen is a PPT that outputs a pair P k, S k 2. Enc is a PPT that given P k and m produces a cyphertext c 16-3

4 3. Dec is a PPT that given c and S k produces a message m 4. For all m M and for all p k, s k Gen(1 k ), Dec Sk (Enc Pk (m)) = m Definition 4 (Secure PK Encryption) We say that a public key encryption scheme is secure if for every non-uniform PPT A, there exists a negligible ǫ such that for all messages m 0 and m 1 with m 0 = m 1, it holds that Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 0 )) = 1] Pr[P k, S k Gen(1 n ) : A(P k, Enc Pk (m 1 )) = 1] ǫ These definitions can be extended in a straightforward manner to get appropriate definitions for CPA security, as well as CCA1 and CCA2 security. Since the public key is available to the attacker, CPA security comes almost for free, but CCA1 and CCA2 secure schemes are much harder to come by. With these definitions, there are some immediate impossibility results: perfect secrecy it is clearly impossible to do perfect public-key secrecy, since an unbounded adversary could simply encrypt every message with every random string and lookup the cyphertext deterministic encryption it is impossible to have a deterministic encryption algorithm, because with a deterministic encryption algorithm, the encrypt and compare strategy easily distinguishes between messages. In addition, it is a straightforward excercise to show that single-message security implies many-message security. 2.1 Constructing a PK encryption system Trapdoor permutations seem to fit the requirements for a public key cryptosystem. We could let the public key be the index i of the function to apply, and the private key be the trapdoor t. Then we might consider Enc(m, i) = f i (m), and Dec(c, i, t) = fi 1 (c). This makes it easy to encrypt, and easy to decrypt with the public key, and hard to decrypt without. Using the RSA function defined in lecture 7, this construction yields the commonly used RSA cryptosystem. However, according to our definition, this construction does not yield a secure encryption scheme. In particular, it is deterministic, so it is subject to comparison attacks. A better scheme (for single-bit messages) is to let Enc(x, i) = {r {0, 1} n : f i (r), b(r) m } 16-4

5 where b is a hardcore bit for f. This scheme is secure, because distinguishing encryptions of 0 and 1 is essentially the same as recognizing the hardcore bit of a OWP, which we have argued is infeasible. 16-5